Glossary

Accessible Data: In a search for information during the process of discovery, accessible data is that information that resides on easily read drives or network locations.

Actual Authority: A tangible demonstration of the right to act as an agent for a principal. A power of attorney gives a person actual authority over another person’s affairs.

Admissible or Admissibility: The ability of evidence or testimony to be entered into consideration in a court of law. Generally, this is based on the factors of relevance, credibility, and competence.

Affidavit: A written statement of facts, sworn to under oath by the person making it, who affirms that the facts took place exactly as reported. The oath must be administered by a person who has been granted that authority by the appropriate government body, such as a notary public or an officer of the court.

After Hours Warrant: A specific order issued by a judge that allows agents of the government to execute the order during times of the day that are not generally considered normal hours for the action.

Agent of the Government: Any person, whether directly employed by a government entity or not, who is acting on behalf of such an entity is considered to be an agent of the government.

Alternate Data Stream: A feature of the Microsoft NTFS file system that lets a single file carry more than one named stream of data in addition to its default, unnamed data stream. The extra streams do not appear in ordinary directory listings or in the file’s reported size, so they can conceal data, whether a second file or arbitrary bytes, inside an innocuous-looking file.

Antiforensics: Concentrated efforts to prevent or hinder an investigator from finding information on a system.

Apparent Authority: A reasonable appearance of either being an agent for a principal or having the power to act on behalf of a principal, whether such authority exists or not. An example would be a person who drives up in a service van with the logo of the local electric company and says she is here to read the meter. The resident allows her to enter because she appears to have the authority to do so.

Audit: To keep a detailed record of selected events, as configured in the agent or subsystem that monitors them.

Authenticate: To verify that a user is who she says she is. Typing in a user name and password is a method that network services use to authenticate a user.

Bates Numbering: A process of applying a unique identification number to each document extracted during the discovery process.

Boolean: A type of search or data type that includes only two possible values. The name honors George Boole, the inventor of Boolean algebra, the algebra of true and false values.

Breadth: The scope of a warrant must define the probable cause upon which the writ was issued. Evidentiary materials found that are not relevant to the defined probable cause are beyond the “breadth” of the order.

Case Log: A detailed record of every task completed, every action taken, and every piece of evidence analyzed in the course of an investigation.

Chain of Custody: A document that identifies every place that a piece of evidence has occupied, every person who has handled that evidence, and any actions that were taken against it. Chain of custody records the actual time and date of each event.

Civil Action: A court trial in which one party accuses another party of some form of wrongdoing. The defendant in a civil action does not face jail time or a criminal fine, but if found liable may be ordered to pay the plaintiff damages in the amount stated in the judgment.

Closed Container: Under U.S. jurisprudence, any opaque object that can be used to store objects that is shut at the time of inspection is considered to be a closed container. Such an object is not subject to search without a warrant, even if reasonable cause has presented the opportunity to search surrounding premises.

CLSID: Class Identifier. A 128-bit globally unique identifier (GUID) by which Windows identifies a COM class, that is, an application or object type. OLE compound documents, such as legacy Microsoft Office files, can record a CLSID in their directory structure that identifies the application that created the file, so the value can reveal a file’s true type regardless of its extension.

Cluster: A group of one or more contiguous sectors that the file system treats as its smallest unit of allocation once the disk has been formatted. Every file occupies a whole number of clusters, which is why slack space exists.

Competent or Competence: Any evidence or testimony that is neither prejudicial nor limited by statutory or constitutional constraints. In other words, the information will not unfairly sway a judge or jury’s opinion without there being any basis of fact, nor will the introduction of the information violate anyone’s constitutional rights or any existing law.

Covert Data: Data that is intentionally concealed on a system or media device for the express purpose of preventing others from finding it.

Credible or Credibility: Evidence or testimony that is easily believed without stretching reason.

Criminal Action: A court trial in which one or more parties is accused of violating a law and faces penalties that may include incarceration, fines, or even capital punishment.

Curriculum Vitae: A document, similar to a résumé, that presents the pertinent facts about a person’s education, experience, and any other qualifications that render that person suitable for a particular endeavor.

Dark Data: Information intentionally hidden or accidentally lost that exists on a system.

Data Carving: A method of recovering files from unallocated space (or any raw data) without relying on file-system metadata. The tool scans for a known file header (signature), looks for the matching end-of-file marker, and copies everything between the two points into a new file. Carving recovers only contiguous data; a fragmented file comes back partially or not at all.
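
The header/footer carving described above, as an added example in Python (not the book’s own tool). The PNG and JPEG magic values are real; the sample “unallocated space” and the placeholder file bodies inside it are constructed for the demonstration, and the function names are the example’s own.

```python
"""Header/footer carving over raw bytes (added example, not the book's tool)."""
import os

# Real magic values for PNG and JPEG; extend this table for other formats.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(blob, signatures=SIGNATURES, max_size=1 << 20):
    """Return (offset, kind, data) for every header hit, sorted by offset.

    A candidate runs from a header to the first matching footer after it
    (footer included). If no footer appears within max_size bytes the hit is
    reported with data=None: the file is fragmented, overwritten or truncated,
    and the analyst should look at it by hand rather than lose the lead.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        start = blob.find(header)
        while start != -1:
            limit = min(len(blob), start + max_size)
            end = blob.find(footer, start + len(header), limit)
            if end == -1:
                hits.append((start, kind, None))
                start = blob.find(header, start + 1)
                continue
            end += len(footer)
            hits.append((start, kind, bytes(blob[start:end])))
            start = blob.find(header, end)
    hits.sort(key=lambda hit: hit[0])
    return hits


def write_carved(hits, out_dir):
    """Save each complete candidate as <offset>.<kind>; return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for offset, kind, data in hits:
        if data is None:
            continue
        path = os.path.join(out_dir, f"{offset:012x}.{kind}")
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths


def build_sample_unallocated():
    """Constructed sample standing in for unallocated space: a complete PNG,
    a complete JPEG and a truncated PNG, separated by zeroed filler. The file
    bodies are placeholders; only the signatures are real."""
    png_h, png_f = SIGNATURES["png"]
    jpg_h, jpg_f = SIGNATURES["jpg"]
    filler = b"\x00" * 32
    png = png_h + b"\x00" * 16 + b"IHDR-fake-chunk" + png_f       # 47 bytes
    jpg = jpg_h + b"\xe0fake-jfif-body" + jpg_f                    # 20 bytes
    partial = png_h + b"truncated"                                 # no footer
    return filler + png + filler + jpg + filler + partial + filler


if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_unallocated()):
        size = "incomplete" if data is None else f"{len(data)} bytes"
        print(f"offset 0x{offset:x}: {kind} ({size})")
```

Two caveats a practitioner will hit immediately: a JPEG often embeds a thumbnail with its own FFD9 marker, so footer-based carving can cut the outer image short, and the `max_size` window is what keeps a header with a missing footer from swallowing the rest of the image.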

Defendant: In a criminal or civil action, the person who is accused of wrongdoing is the defendant.

Discovery: A legal process under which each party involved in litigation provides the other party with all evidence or documentation that it intends to use in presenting its case. Failure to adequately respond to a discovery order can result in significant penalties being imposed by the court.

Exculpatory: Any evidence or testimony that deflects blame from a specific individual.

Expert Witness: A person endowed with specialized training or unique knowledge who is called upon to state an opinion, based on technical information that may be difficult for the average person to comprehend.

Federal Rules of Evidence: The body of rules governing evidence in U.S. federal courts, defining what makes evidence admissible and how it may be obtained and presented.

Forensic: Belonging to, used in, or suitable to courts of judicature or public discussion and debate.

FQDN: Fully Qualified Domain Name. The complete name of a host on the Internet, including every label from the host name up through the top-level domain, with the labels separated by dots. MWGRAVES.COM is the FQDN of the author’s Web site.

Hash: A fixed-length value computed from a body of data by a hash algorithm. Any change to the data produces a different value, so hashes are used to verify that evidence has not changed since it was acquired. Many hash algorithms exist.

Hearsay: A statement made outside the current proceeding that is offered as evidence to prove the truth of what it asserts, rather than something the witness knows from personal knowledge. Hearsay is generally inadmissible unless an exception applies.

Host Protected Area: An area at the end of a hard disk that the drive’s firmware hides from the operating system and from ordinary tools; it is reserved through ATA commands and is not counted in the capacity the drive reports. Manufacturers use it for recovery and diagnostic utilities, and it can also be used to conceal data, so forensic imaging tools should detect it and capture it where possible.

IMAP: Internet Message Access Protocol. A protocol for reading e-mail that keeps messages on the mail server and lets a client synchronize a local copy. Because the mailbox stays on the server, several clients (or several people) can work with the same mailbox, and a copy of the evidence may exist on the server as well as on any client.

Inaccessible Data: In a search for information during the process of discovery, inaccessible data is that information that resides in locations from which extracting it will require considerable effort, such as backup tapes, legacy systems, or deleted files.

Incriminating: Any evidence or testimony that indicates the guilt of a subject in regard to a specific crime.

Inculpatory: Any evidence or testimony that directs blame to a specific individual.

Information Store: A file or collection of files used by an e-mail client to store messages, notes, calendar events, and other pieces of information the client is capable of collecting.

Internal Investigation: An inquiry made by an organization that is kept within the organization. Evidence extracted is not intended for presentation in a court of law.

Kernel Mode: The processor privilege level in which the operating system kernel and device drivers run, with unrestricted access to memory, hardware, and every other aspect of the system.

Keylogger: A piece of software or hardware that intercepts each and every keystroke generated on the target computer.

Litigation: Any action brought before a court of law with the intent of enforcing a particular right or agreement. Generally speaking, litigation is a civil court action as opposed to a criminal action.

Litigation Hold: An order issued during the discovery process that instructs the recipient to cease and desist all destruction of documents, either physical or digital, until the proceedings have been completed. Another term for a preservation order.

Log File: A detailed record of every event that has occurred over a period of time in an application or a database or on a device.

Lossless: A form of data compression that restores a file precisely to its original state when uncompressed.

Lossy: A form of data compression that is unable to restore a file precisely to its original state when uncompressed.

MAC: Modify, Access, Create. The file-system timestamps that record when a file was last modified, last accessed, and created. The meaning of each depends on the file system and operating system: on Unix-like systems the “C” time is the inode change time rather than the creation time, and access-time updates may be disabled, so the times must be interpreted in the context of the system that produced them.

Mail Delivery Agent: A software package that sorts out incoming messages and delivers them to the correct mailbox on a mail server.

Mail Transport Agent: A software package that is responsible for moving an e-mail message from source to destination.

Mail User Agent: The software interface (or client) that allows users to send and receive email.

MD5: Message Digest, version 5. A cryptographic hash algorithm that produces a 128-bit digest of a body of data. MD5 is no longer collision resistant (two different inputs can be crafted to share the same MD5 value), so a practitioner should record a SHA-2 digest alongside it rather than rely on MD5 alone.

Metadata: Literally speaking, metadata is information about information. A metadata file in the OS provides information about how data is stored and retrieved within the file system. Document metadata is a collection of hidden fields within the document that provides information about the document.

MIME: Multipurpose Internet Mail Extensions. A packaging standard for e-mail messages that defines the message format, including how attachments and non-ASCII content are encoded.

Netstat: A TCP/IP utility that lists the network connections and listening ports currently active on a host, along with related statistics.

No Knock Warrant: A specific order issued by a judge that allows agents of the government to enter private property without knocking or without identifying themselves. Such a warrant is issued when there is reasonable expectation that valuable evidence will be destroyed before the executors of the warrant can secure the scene.

NSLookup: A command-line TCP/IP utility that queries DNS, resolving a host name to its IP address or, with a reverse lookup, an IP address to a host name.

Null Cipher: A message-hiding technique in which a secret message is embedded in a seemingly innocuous piece of text. The recipient applies a predefined template to the carrier text (for example, every third word, or the first letter of each word) to extract only the parts that make up the hidden message. Strictly speaking, a null cipher is a form of steganography rather than encryption.
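
The template-based extraction described above, as an added example (not from the book) in Python. The carrier sentences, the filler words, and the function names are constructed for the demonstration; the two templates shown (every n-th word, and first letter of each word) are the ones the definition mentions.

```python
"""Null-cipher hiding and extraction (added example, not the book's code)."""
import itertools
import re

WORD = re.compile(r"[A-Za-z']+")

# Constructed carrier: every third word (3, 6, 9) spells the hidden message.
SAMPLE_CARRIER = "Do not attack this problem at all before dawn breaks."


def words(text):
    """Split the carrier into words, dropping punctuation."""
    return WORD.findall(text)


def hide_every_nth(message, filler, n):
    """Place each word of `message` as every n-th word of the carrier,
    padding with words cycled from `filler`. The filler here is only a
    stand-in; a real carrier is written so that it reads naturally."""
    fill = itertools.cycle(filler)
    out = []
    for w in words(message):
        out.extend(next(fill) for _ in range(n - 1))
        out.append(w)
    return " ".join(out)


def extract_every_nth(carrier, n, start=None):
    """Template 'every n-th word, beginning with word `start`' (1-based)."""
    start = n if start is None else start
    return " ".join(words(carrier)[start - 1::n])


def extract_positions(carrier, positions):
    """Template given as explicit 1-based word positions, e.g. (3, 6, 9)."""
    ws = words(carrier)
    return " ".join(ws[i - 1] for i in positions if 0 < i <= len(ws))


def extract_initials(carrier):
    """Template 'first letter of each word'."""
    return "".join(w[0] for w in words(carrier)).lower()


if __name__ == "__main__":
    print(extract_every_nth(SAMPLE_CARRIER, 3))            # attack at dawn
    print(extract_initials("Have everyone leave promptly."))  # help
```

The point to notice is that the wrong template yields nothing useful: the same carrier read from word 1 instead of word 3 gives filler, which is why an investigator who suspects a null cipher tries several templates rather than one.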

Offset: The distance, usually counted in bytes, from a base address (the start of a file, a sector, or a region of memory) to a particular item. Adding the offset to the base address gives the item’s absolute address; forensic tools report where an artifact was found as an offset into the image.

Ostensible Authority: Another term for apparent authority.

Parse: To analyze an object down to its most basic structure. To parse a file is to identify specific elements within the file, including elements not seen by the average user, such as metadata fields. A search engine parses a phrase typed in by a user by searching each individual word within the phrase as well as the phrase in its entirety.

Particularity: Warrants or subpoenas issued by the courts must be very specific in who is being targeted by the search, what is being sought, and where the evidence being sought is likely to be located. This degree of specificity defines particularity.

Partition: A logical division of a hard disk drive (or other storage medium) that divides a single device into multiple volumes.

PII: Personally Identifiable Information. Information that can be used to identify a specific individual, such as a name, a government identification number, a date of birth, or biometric data. In security and privacy work, PII is treated as the most sensitive class of data and is the most jealously protected.

Plain View Doctrine: A rule that states that evidence that is discovered by an agent of the government during the normal course of an arrest or interrogation, which is discovered because it existed out in the open where anyone could see it, can be seized without a warrant.

Plaintiff: In a civil action, the party who files the initial complaint. In a criminal action, the corresponding party is the prosecution, acting on behalf of the state.

POP3: Post Office Protocol, version 3. A protocol that lets an e-mail client download messages from a mail server. By default, messages are removed from the server once downloaded, so the client may hold the only copy.

Prejudiced or Prejudicial: Likely to sway the opinion of the average person without there being a factual foundation for the information, statement, or evidence that is being presented.

Preservation Order: A writ issued by a court ordering that no documents or other evidence be destroyed from that point forward.

Privileged Information: Any form of information that is protected from discovery during litigation. Such information includes doctor-patient communications, lawyer-client communications, or confessions made to a religious authority.

Probable Cause: A reasonable belief that an action is justified, based on circumstances or factual information that a “prudent person” would be led to believe merited such actions.

Promiscuous Mode: An operating mode of a network interface card in which it accepts and passes up to the operating system every frame it receives, not only those addressed to it. In its default mode the card discards frames whose destination MAC address is not its own (or a broadcast or subscribed multicast address). Packet sniffers rely on promiscuous mode.

Protective Order: A writ issued by the court that prohibits the recipient from performing certain actions specific to document discovery. Generally, protective orders prohibit the disclosure of certain types of information, but they can also prohibit an unreasonable discovery request. On a physical level, protective orders are issued to put a stop to abusive behavior between two people.

Proxy: On behalf of. A proxy server is a machine that interfaces with the Internet on behalf of all the other computers on the proxy’s network.

Rainbow Tables: Precomputed tables that trade storage for computation when reversing unsalted password hashes. Rather than storing the hash of every candidate password, a rainbow table stores only the start and end points of long chains of alternating hash and “reduction” operations over a keyspace. To attack a hash, password-cracking software recomputes chain segments from the hash until it reaches a stored end point, then regenerates that chain to find the password. A per-password salt defeats such tables because the salted value is not in the precomputed keyspace.
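
A miniature rainbow table, added here as an example (not from the book) to make the chain idea concrete. The keyspace (three lowercase letters), the chain length, the reduction function, and the start points are all the example’s own choices, scaled down so it runs in well under a second; real tables use millions of chains over far larger keyspaces.

```python
"""A miniature rainbow table: hash chains, not a dictionary (added example)."""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3                                  # keyspace: 26**3 = 17576 passwords
KEYSPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 20                              # hash/reduce steps per chain


def h(password):
    """Unsalted SHA-256: the kind of hash a rainbow table can target."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt, password):
    """Salted variant; the salt pushes the value outside the table's keyspace."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def reduce_(digest, column):
    """Map a digest back into the keyspace. Mixing in the column index gives
    every column its own reduction function, which is what makes this a
    rainbow table rather than a plain hash chain (far fewer chain merges)."""
    n = (int(digest[:16], 16) + column) % KEYSPACE
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def chain(start):
    """Yield the passwords p0 .. p(CHAIN_LEN-1) that one chain passes through."""
    pw = start
    for col in range(CHAIN_LEN):
        yield pw
        pw = reduce_(h(pw), col)


def build_table(start_points):
    """Store only endpoint -> start points. Intermediate values are recomputed
    on demand; that is the space/time trade-off the table makes."""
    table = {}
    for start in start_points:
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_(h(pw), col)
        table.setdefault(pw, []).append(start)   # merged chains share an endpoint
    return table


def lookup(table, target_digest):
    """Recover a password for target_digest, or None if no chain covers it."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits at column j and walk the rest of the chain.
        pw = reduce_(target_digest, j)
        for col in range(j + 1, CHAIN_LEN):
            pw = reduce_(h(pw), col)
        # An endpoint hit may be a false alarm, so regenerate and check.
        for start in table.get(pw, ()):
            for cand in chain(start):
                if h(cand) == target_digest:
                    return cand
    return None


if __name__ == "__main__":
    table = build_table(["abc", "xyz", "pwd", "cat", "dog"])
    hidden = list(chain("cat"))[7]            # a password some chain visits
    print(hidden, lookup(table, h(hidden)))   # recovered from the table
    print(lookup(table, salted_hash("s3", hidden)))   # None: salt defeats it
```

Five chains of twenty steps cover at most 100 of the 17,576 possible passwords, so most random targets come back as None; coverage is what the millions of chains in a real table buy. The salted lookup fails for a different reason: the table was built over three-letter strings, and the salted preimage is not one.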

Reasonable Expectation of Privacy: Any set of conditions that a prudent person would consider inappropriate for sharing with the general public. Anything that a person intentionally and with foreknowledge exposes to public view is excluded from such an expectation.

Redact: To intentionally render certain information in a file or document unreadable.

Relevant or Relevance: Evidence or testimony that is relevant is both material and probative. It directly relates to the case being presented (material), and it will provide some form of information that will allow the court to better perceive the truth (probative).

Scheme: In Internet terms, the part of a URL before the colon that names the protocol (such as http, https, ftp, or file) used to access a particular resource.

Scope: A definition of what work is expected to be completed in the course of an investigation, taking into consideration what is allowed under the terms of the legal authorizations allowing the investigation.

Search: Any examination of a person’s body, residence, possessions, or any other aspect of that person’s being that any reasonable person would consider private.

Sector: A unit of storage on a magnetic or optical disk. Whereas data consists of individual bits, the disk controller reads the platter in larger units; the sector is the smallest logical collection of bytes read by the hard disk. On earlier hard disks the sector held 512 bytes. Drives using the Advanced Format standard use 4,096-byte (4KB) physical sectors, although many still present 512-byte logical sectors to the operating system.

Seizure: The acquisition or confiscation of any items found in the process of a search.

Sessionize: To break a complex network capture down to only the packets exchanged between devices during a single established communications event.

SHA256 or SHA512: Secure Hash Algorithm with a 256-bit or 512-bit digest, members of the SHA-2 family. Cryptographic hash algorithms that produce a fixed-length digest of a body of data; they are the current recommended choice for verifying the integrity of evidence.
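
The Hash, MD5 and SHA256 entries describe what a digest is for; the following added example (not the book’s code) shows the way an examiner actually uses them: compute MD5 and SHA-256 of an evidence file in one pass at acquisition, record them, and later verify that the file still matches. The evidence file is constructed in a temporary directory, and the function names are the example’s own.

```python
"""One-pass MD5 + SHA-256 of an evidence file, with verification (added example)."""
import hashlib
import hmac
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha256")


def hash_stream(fileobj, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Feed the data through every requested hasher in a single pass, so a
    multi-gigabyte image is read from disk once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Same digests for an in-memory buffer (chunk_size exposed for testing)."""
    return hash_stream(io.BytesIO(data), algorithms, chunk_size)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_file(path, expected):
    """expected: {algorithm: hex digest} as recorded at acquisition.
    Returns (ok, actual); ok only if every recorded digest matches. Checking
    both MD5 and SHA-256 matters because MD5 alone no longer proves the
    image is unchanged against a deliberate attacker."""
    actual = hash_file(path, tuple(expected))
    ok = all(hmac.compare_digest(actual[n], expected[n].lower()) for n in expected)
    return ok, actual


def demo():
    """Constructed evidence: 3 MiB of patterned bytes in a temp file.
    Returns (verified_before, verified_after_one_bit_flip, recorded_digests)."""
    data = bytes(range(256)) * (3 * 4096)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.dd")
        with open(path, "wb") as f:
            f.write(data)
        recorded = hash_file(path)            # this goes into the acquisition log
        ok_before, _ = verify_file(path, recorded)
        mid = len(data) // 2
        with open(path, "r+b") as f:          # flip a single bit in the middle
            f.seek(mid)
            b = f.read(1)[0]
            f.seek(mid)
            f.write(bytes([b ^ 0x01]))
        ok_after, _ = verify_file(path, recorded)
    return ok_before, ok_after, recorded


if __name__ == "__main__":
    before, after, recorded = demo()
    print(recorded)
    print("verified before change:", before, "| after one-bit change:", after)
```

The digests of the string "abc" used in the test are the published test vectors for MD5 and SHA-256, which is a cheap way to confirm that the streaming code and the chunk boundary handling are correct before trusting it on real evidence.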

SIM: Subscriber Identity Module. A small removable smart card in a cellular telephone that stores information about the user and that user’s account with the service provider.

Slack Space: The unused bytes between the end of a file’s data and the end of the last cluster allocated to it (file slack), or between the end of the last cluster on a volume and the end of the partition (volume slack). No other file can use the space, but because the file system writes only the file’s own bytes, slack can retain fragments of whatever previously occupied those sectors.

Sneak and Peek Warrant: A specific order issued by a judge that allows agents of the government to enter a private area or to monitor activities of an individual without that person’s knowledge.

Spoliation: The intentional destruction of data or evidence in an effort to prevent it from being used in a hostile manner. Generally, spoliation occurs when data is destroyed in defiance of a preservation order. However, courts have also found that destruction of information in anticipation of litigation constitutes spoliation.

Squid: A widely used open-source caching proxy server that runs on Linux and other Unix-like systems. Its access log records every client request it handled.

Stakeholder: Any person, organization, or other entity that has a vested interest in the outcome of a project or investigation.

Steganography: The art of concealing messages or data inside other, innocuous-looking data (the carrier). Image and audio files are common carriers because small changes to their least significant bits are imperceptible; without specific software, most users cannot tell that a carrier holds anything at all.

Streams: A Microsoft Sysinternals command-line utility (streams.exe) that lists, and can delete, the alternate data streams attached to NTFS files.

Subpoena: An order directing a person or entity to appear in court on a certain date and/or to produce specific documents relevant to a legal issue.

Subpoena Duces Tecum: A writ ordering a person or an agent of an organization to appear before a court that identifies specific documents or other forms of evidence that must be presented at the time of appearance as defined by the order.

Taint Team: A group of individuals assigned by a court to oversee the discovery process in order to prevent privileged information from being inadvertently disclosed during discovery.

Testimony: A statement made by a witness, plaintiff, or defendant that is made under oath and that presents that person’s understanding of the facts relevant to a case.

Timeline: A logical representation of all events that occurred, in the order in which they occurred, that are related to a specific incident or case.

Timestamp: A field in a file, a file-system record, or an event log that records the date and time at which a particular event occurred. Timestamps may be stored in local time or in UTC and with differing resolutions, so each source’s convention must be established before times from different systems are compared.
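
The MAC, Timeline and Timestamp entries together describe the most common timeline an examiner builds: every file contributes up to one event per timestamp, and the events are sorted into one sequence. The following added example (not the book’s code) does that in the style of The Sleuth Kit’s mactime output, collapsing timestamps that coincide into one row. The sample records are constructed; the file paths in them are not real evidence.

```python
"""A mactime-style timeline from MAC timestamps (added example)."""
from datetime import datetime, timezone
import os

FLAG_ORDER = "macb"   # modify, access, change (or create), birth


def mac_times(path):
    """MAC triple as the OS reports it. Caveat: on Linux st_ctime is the
    inode change time, not creation; a true birth time is available only
    where the platform exposes st_birthtime."""
    st = os.stat(path)
    times = {"m": st.st_mtime, "a": st.st_atime, "c": st.st_ctime}
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        times["b"] = birth
    return times


def collect(root):
    """Walk a directory tree and gather timestamps for every file in it."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            records[path] = mac_times(path)
    return records


def build_timeline(records):
    """records: {path: {"m": epoch, "a": epoch, "c": epoch[, "b": epoch]}}.
    Returns (iso_utc, flags, path) rows in time order. When several of a
    file's timestamps coincide they collapse into one row whose flag string
    shows which, e.g. 'm.c.' for modify and change at the same instant."""
    rows = []
    for path, times in records.items():
        by_time = {}
        for flag in FLAG_ORDER:
            if flag in times:
                by_time.setdefault(times[flag], set()).add(flag)
        for t, flags in by_time.items():
            flagstr = "".join(f if f in flags else "." for f in FLAG_ORDER)
            iso = datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
            rows.append((t, iso, flagstr, path))
    rows.sort()
    return [(iso, flagstr, path) for _, iso, flagstr, path in rows]


# Constructed sample records (Unix epoch seconds, UTC), not real evidence:
# a.doc was read 500 s after it was last written; b.log has never been
# touched since it was created.
SAMPLE_RECORDS = {
    "/evidence/a.doc": {"m": 1700000000, "a": 1700000500, "c": 1700000000},
    "/evidence/b.log": {"m": 1699999000, "a": 1699999000, "c": 1699999000},
}


if __name__ == "__main__":
    for iso, flags, path in build_timeline(SAMPLE_RECORDS):
        print(iso, flags, path)
    # On a live system: build_timeline(collect("/path/to/mounted/image"))
```

Rendering every time in UTC is deliberate: a timeline that mixes the examiner’s local time with the evidence system’s local time is the classic way to put events in the wrong order.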

Triangulation: A method of locating a transmitting device within a very large area, with a small margin of error, using three points with known coordinates. From each point either the direction to the signal is measured (triangulation proper) or the distance to it (strictly, trilateration, though it is commonly called triangulation as well). The device lies where the three direction lines, or the three distance circles, intersect.

Unallocated Space: Clusters on a disk that are not currently claimed by any file in the file system. Deleting a file normally only releases its clusters without erasing their contents, so unallocated space is a prime resource for recovering deleted data.
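
The Cluster, Sector, Slack Space and Unallocated Space entries describe the same mechanism from four angles. This added example (not the book’s code) is a toy volume in Python that behaves the way those entries describe: files are allocated in whole clusters, a write touches only the file’s own bytes, and a delete only releases the allocation. The cluster geometry, the toy allocator, and the “old” and “new” file contents are the example’s own constructions.

```python
"""A toy volume showing where deleted and slack data survive (added example)."""

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER   # 4096-byte clusters

# Constructed "old" file content: 6000 bytes, so it needs two clusters.
OLD_DATA = (b"OLD-SECRET-" * 1000)[:6000]


def clusters_needed(size):
    """Whole clusters a file of `size` bytes occupies (ceiling division)."""
    return -(-size // CLUSTER_SIZE)


def slack_bytes(size):
    """Bytes in the file's last cluster that lie past end-of-file."""
    return clusters_needed(size) * CLUSTER_SIZE - size


class ToyVolume:
    """Contiguous first-fit allocation is all the example needs."""

    def __init__(self, n_clusters):
        self.image = bytearray(CLUSTER_SIZE * n_clusters)
        self.alloc = {}                      # name -> (first_cluster, size)

    def _used(self):
        used = set()
        for first, size in self.alloc.values():
            used.update(range(first, first + clusters_needed(size)))
        return used

    def _next_free(self, count):
        used, run = self._used(), 0
        for c in range(len(self.image) // CLUSTER_SIZE):
            run = run + 1 if c not in used else 0
            if run == count:
                return c - count + 1
        raise OSError("volume full")

    def write(self, name, data):
        """Like a real file system, only the file's bytes are written; the
        rest of its last cluster keeps whatever was there before."""
        first = self._next_free(clusters_needed(len(data)))
        off = first * CLUSTER_SIZE
        self.image[off:off + len(data)] = data
        self.alloc[name] = (first, len(data))
        return first

    def delete(self, name):
        """Deleting drops the allocation entry; the clusters keep their bytes."""
        del self.alloc[name]

    def read(self, name):
        first, size = self.alloc[name]
        return bytes(self.image[first * CLUSTER_SIZE:first * CLUSTER_SIZE + size])

    def file_slack(self, name):
        """Bytes between end-of-file and the end of the file's last cluster."""
        first, size = self.alloc[name]
        end = first * CLUSTER_SIZE + size
        return bytes(self.image[end:(first + clusters_needed(size)) * CLUSTER_SIZE])

    def unallocated(self):
        """(cluster_number, bytes) for every cluster no file currently claims."""
        used = self._used()
        return [(c, bytes(self.image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]))
                for c in range(len(self.image) // CLUSTER_SIZE) if c not in used]


def demo():
    """Write the 6000-byte file, delete it, then write a 100-byte file into
    the freed space. Returns (slack of the new file, unallocated cluster
    numbers, contents of the first unallocated cluster)."""
    vol = ToyVolume(n_clusters=4)
    vol.write("memo.txt", OLD_DATA)
    vol.delete("memo.txt")
    vol.write("note.txt", b"N" * 100)
    free = vol.unallocated()
    return vol.file_slack("note.txt"), [c for c, _ in free], free[0][1]


if __name__ == "__main__":
    slack, free, residue = demo()
    print(f"{len(slack)} slack bytes still hold:", slack[:22])
    print("unallocated clusters:", free, "| first one starts with:", residue[:22])
```

After the demo, the first 100 bytes of cluster 0 belong to note.txt, the remaining 3,996 bytes of that cluster are file slack that still read “OLD-SECRET-…”, and cluster 1 is unallocated but holds the tail of the deleted memo. A carving pass over the unallocated clusters and a slack-space search are two different ways to reach the same residue.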

URL: Uniform Resource Locator. A user-friendly (sort of) name for any particular Web site or file that can be accessed on the Internet.

User Mode: A processing environment within an operating system that offers relatively low privilege levels. Certain processes and commands are not allowed.

Warrant: An official order, issued by a person with sufficient authority, that approves a specific act. Warrants can be issued for the arrest of a person or for the search of a person or premises.

Warrens: Unconventional locations on a computer that are not generally used for storing data, but that, through special software or techniques, can be used for hiding data.

WHOIS: A TCP/IP query service that returns the registration records for a domain name or an IP address block: the registrar, the registrant and contact details (where not redacted), the name servers, and the registration dates.
